
UBE Defense

Before reading this article, please read the article "Defining UBE"

Defending against unsolicited bulk e-mail (UBE) takes a bit of work to get right. There isn't a one-size-fits-all solution to spam, but we do our best to block any e-mail that is guaranteed spam or comes from known spam senders, and then categorize the rest as accurately as possible.

The individuals and corporations that benefit from UBE are thieves. The environmental and economic costs are a net loss for every person on the Internet, so we do everything in our power to prevent and report these problems as aggressively as possible.

KYNGIN e-mail delivery uses a multi-stage process to perform its UBE defense. As an e-mail server attempts to send e-mail to any of our clients, it must pass through a gauntlet of operational tests to confirm it's valid. The information below details the steps that each e-mail message takes in the process lifecycle of e-mail delivery. Each step is listed here, and then described in detail below.

  1. KYNGIN Denylist

  2. Connection Validation

  3. DNSBL Denylist

  4. Domain Testing

  5. Message Inspection

    5a. Antivirus Tests

    5b. Bayesian Tests

    5c. Signatures & Network Tests

  6. Delivery Sorting, Rejection, or Delivery

  7. Mail Client Testing

1. KYNGIN Denylist

For the first step, the connecting server has to pass a frequently updated denylist. This denylist is blank by default, and entries are added over time for the most aggressive spammers. These are individuals who have targeted our clients directly, and whom we can confirm first-hand are sending spam e-mails. In short order these senders will appear in our DNSBL services, but during the first few days we sometimes have to use this denylist to curb unwanted spam. Again, this is typically only the most aggressive senders that have singled out members.

2. Connection Validation

A few connection validation tests are performed to put a hard stop to connection attempts that don't pass standards-compliant mail connectivity. These connection tests confirm that the sender doesn't prompt the mail servers with invalid connection content.

3. DNSBL

This test is a weighted result from a series of DNSBL Services.  Each service is tested for a confirmed answer.  These can be fine-tuned per client mail server, with the defaults being appropriate for well over 90% of our client base.

The DNSBL denylist checks e-mails against a series of commercial and public DNSBL vendors. These lookups typically complete in less than 1 second due to the performance of KYNGIN DNS servers. In nearly all cases we allow by default, and reject when 2 or more of our DNSBL providers have found the sender to be a spammer.
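The lookup-and-threshold logic described above can be sketched as follows. This is an added example, not KYNGIN's code: the zone names, the per-zone weights of 1 and the `evaluate` helper are assumptions, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here
REJECT_AT = 2  # page: reject when 2 or more providers list the sender

def dnsbl_query_name(ip, zone):
    """Reversed address labels + the list's zone (IPv4 octets or IPv6 nibbles)."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # ends in in-addr.arpa / ip6.arpa
    return f"{rev.rsplit('.', 2)[0]}.{zone}"

def dns_resolve(name):
    """A-record answers for name; an empty list on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []  # lookup failure must not turn into a rejection (allow by default)

def evaluate(ip, zones, resolve=dns_resolve):
    """Return ('allow'|'reject', zones that listed ip). zones maps zone -> weight."""
    hits = []
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Only 127.0.0.0/8 answers count; anything else (wildcard DNS, a parked
        # zone) is ignored instead of being read as a listing.
        if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
            hits.append(zone)
    score = sum(zones[z] for z in hits)
    return ("reject" if score >= REJECT_AT else "allow"), hits

# Hypothetical zones, each with weight 1 (assumption; the page gives no weights).
ZONES = {"bl-a.example": 1, "bl-b.example": 1, "bl-c.example": 1}

# Constructed DNS answers standing in for real DNSBL responses.
FAKE_DNS = {
    "7.113.0.203.bl-a.example": ["127.0.0.2"],
    "7.113.0.203.bl-b.example": ["127.0.0.4"],
    "9.113.0.203.bl-a.example": ["127.0.0.2"],
    "9.113.0.203.bl-c.example": ["192.0.2.55"],  # outside 127/8: not a listing
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for sender in ("203.0.113.7", "203.0.113.9", "203.0.113.10"):
        print(sender, evaluate(sender, ZONES, fake_resolve))
```

A sender listed by a single provider is still allowed, which is what keeps one provider's false positive from blocking legitimate mail.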

4. Domain Testing

This phase tests for broad message domain matches in the header of the e-mail that may match known spam senders. These databases are updated as quickly as every 5 minutes with world-wide 3rd party spam detection services.

5. Message Inspection

This stage analyzes content of the mail message looking for any fingerprints. This stage is separated into 3 parts: Antivirus, Bayesian, and Signatures.

5a. Antivirus Fingerprints

KYNGIN systems immediately look for any identified viruses attached to the e-mail. If these exist, the e-mail is rejected.

5b. Bayesian Fingerprints

KYNGIN systems learn from e-mail content stored in local user folders as well as the 'Junk' folder. These folders provide a message learning path for each individual mailbox. If a message's lexemes are identifiable as spam (or not spam), they will be assigned weights based on spam likeliness.
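To show why learning per mailbox matters, here is a small naive-Bayes sketch, added as an illustration and not KYNGIN's or SpamAssassin's actual algorithm. The `MailboxFilter` class, the smoothing choice and all sample messages are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

def lexemes(text):
    """Distinct lowercase tokens of a message body."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))

class MailboxFilter:
    """Per-mailbox token statistics learned from that user's own folders."""

    def __init__(self):
        self.counts = {"ham": Counter(), "spam": Counter()}
        self.msgs = {"ham": 0, "spam": 0}

    def learn(self, folder, text):
        # 'Junk' trains the spam side; every other folder trains the ham side.
        label = "spam" if folder == "Junk" else "ham"
        self.msgs[label] += 1
        self.counts[label].update(lexemes(text))

    def weight(self, token):
        """Smoothed log-likelihood ratio: > 0 leans spam, < 0 leans ham."""
        p_spam = (self.counts["spam"][token] + 1) / (self.msgs["spam"] + 2)
        p_ham = (self.counts["ham"][token] + 1) / (self.msgs["ham"] + 2)
        return math.log(p_spam / p_ham)

    def spam_probability(self, text):
        llr = math.log((self.msgs["spam"] + 1) / (self.msgs["ham"] + 1))
        for tok in lexemes(text):
            # Tokens this mailbox has never seen carry no evidence either way.
            if self.counts["spam"][tok] or self.counts["ham"][tok]:
                llr += self.weight(tok)
        return 1 / (1 + math.exp(-llr))

def build_samples():
    """Two constructed mailboxes: 'invoice' is normal for one, junk for the other."""
    accounting, personal = MailboxFilter(), MailboxFilter()
    accounting.learn("Inbox", "invoice attached for march")
    accounting.learn("Inbox", "please pay invoice 1042")
    accounting.learn("Junk", "win a free prize now")
    accounting.learn("Junk", "free prize claim now")
    personal.learn("Inbox", "lunch on friday")
    personal.learn("Inbox", "meeting notes attached")
    personal.learn("Junk", "overdue invoice pay now")
    personal.learn("Junk", "invoice payment required now")
    return accounting, personal

if __name__ == "__main__":
    msg = "invoice payment overdue"
    for name, box in zip(("accounting", "personal"), build_samples()):
        print(name, round(box.spam_probability(msg), 3))
```

The same message scores as likely ham in the accounting mailbox and likely spam in the personal one, because each mailbox's folders taught it different weights for the same lexemes.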

5c. Signatures & Network

KYNGIN systems now compute a number of signature tests against the message content, looking for items such as known spam senders, textual content that matches spam likelihood, etc. Each of these tests adds to or reduces the weight of the message, which indicates spam likelihood.

6. Delivery Sorting, Rejection, or Delivery

Depending on the weights assigned in step 5, the message will be either sent to the Junk folder, the Inbox folder, or discarded (typically discards only happen for e-mails with viruses in them).

Stages 1-6 typically take less than 2 seconds in total to complete.

7. Mail Client Testing

This isn't on our end directly, but something that should be mentioned. During phase 6, the e-mail is delivered to the Inbox or Junk. Shortly after you open your mail client (Thunderbird, Outlook, Webmail, etc.), the mail messages in your folders will be synchronized.

At this phase, your mail client may use some of its built-in spam prevention utilities to move the e-mail to the proper location based on its own learning capability. Thunderbird does work with our SpamAssassin headers, but both Outlook and Thunderbird (as well as other popular mail clients and anti-virus software) analyze the message for spam identities and block or sort the e-mail.

Additional Protections

KYNGIN additionally employs a 2-stage policy service for outbound connections. The policy service limits aggressive connections from your mail server to remote parties. This allows us to monitor for high queue counts building on servers, which can indicate spammers that have hijacked internal mailboxes (usually due to clients getting a virus or malware).

When queue counts climb beyond reasonable thresholds, we are notified and provided the time necessary to clean up the problem, lock out the accounts causing the issues, and notify the clients.

On the inbound side (connections from remote parties), we additionally have rate limitations in place, if only to prevent denial of service connectivity from malfunctioning (but otherwise legitimate) mail servers.

Historical Note

KYNGIN has zero tolerance for UBE. Reference each step above, and then imagine the amount of CPU cycles (energy consumption, increased costs) and network transit consumption (delayed e-mails, increased costs) that are necessary to block the spam. There is no gentle way of saying this: "If you are a sender of unsolicited bulk e-mail, you are damaging society". You cost mail service providers and e-mail users countless amounts of resources, time, effort, and energy, in the interest of stealing the time of others. It's impossible to ethically justify the countless wasted human hours that are burnt for every theft made by a spammer. If you are a spammer, please become more educated, care less about taking shortcuts, and more about building sustainable products.